Summit 7 Team Blogs

Office 365 DFARS Frequently Asked Questions (and Answers) - Part 1

There are a lot of questions surrounding the upcoming DFARS requirements for DoD Contractors. What does it mean for your business? What happens if you're not compliant in time? To help guide you through the process, here are some questions and answers that you may need to know.

1. Can O365 be set up to alert our IT staff of a cyber-incident and create a report that holds all the information of the incident?

Yes, Office 365 can be set up to alert a group of chosen individuals based on rules and policies configured by the IT Security or IT Administrative staff. Office 365 can create audit and alert reports that can be used as a component of an incident report.

2. How are cyber incidents reported, and can they be directly reported to the proper authorities automatically?

Reporting a cyber-incident requires a DoD approved medium assurance certificate. The required interaction with the certificate makes automatic reporting more difficult. All cyber incidents must be reported to https://dibnet.dod.mil within 72 hours.

3. Can O365 enforce policies and procedures automatically - such as improper downloading of documents, emailing sensitive information, and improper sharing of documents?

Yes, there are various toolsets within the Office 365 platform that can help you control this type of interaction. These capabilities are included in the Rights Management Services, Advanced Security Management and Data Loss Prevention.

4. Since O365 is updated by Microsoft, how will we know if a change they make doesn’t align with the compliance points in the future?

Microsoft maintains their datacenters and platforms to meet compliance for dozens of international standards. The datacenters are constantly going through compliance audits so it is critical that any updates that they make to the environment will not compromise the various security and compliance configuration.

5. Where can I get training on security awareness and incident prevention in O365?

We do not currently have a publicly available course on Office 365 DFARS Security Awareness. However, if you have a specific need we may be able to provide a session customized to your organizational needs.

6. Can I get a risk assessment for my environment?

We have a great set of partners who can provide DFARS Policy Assessments and Risk Assessments. Summit 7 Systems can provide assessments of your existing Office 365 platform to help you build a gap analysis between where you are and NIST 800-171 compliance.

This FAQ is part of a series. Be sure to subscribe and get notified when there's a new post, or check back soon for the next post in the series!